You know those Android dialogue boxes that pop up when you first run an app, asking you what permissions you want to give the software? They’re not as useful as we all thought.
New research has revealed that apps are snooping on data including location and the phone’s unique ID number – even when users haven’t given permission.
The research comes from researchers at the University of Calgary, U.C Berkeley. the IMDEA Networks Institute, the International Computer Science Institute (ICSI) and AppCensus, which offers a searchable database detailing the privacy issues with individual apps. Called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, the paper spotted dozens of apps circumventing permissions-based protections in Android to get the data they want.
Android apps must ask for permission to access sensitive resources on the phone, like the GPS, the camera, or the user’s contacts data. When you say that an app can’t access your location data, the operating system can prevent it from doing so because it runs the app in its own sandbox. That also stops the app in question interacting with other apps.
The researchers analysed over 88,000 Android apps to see what data they transmitted from the phone, and where they sent it. They ran the test on a variety of Android systems, with the most recent being Android Pie (2018). They matched this against the permissions that the user had granted the app to see if apps were harvesting data that they shouldn’t be. They found dozens of apps transmitting data they shouldn’t have accessed, along with thousands more containing the code to do so. They reverse engineered the code and found two main methods for circumventing permissions protections.
The first is known as a side channel attack. In this context, they happen when sensitive information is available in more than one place on a mobile phone.
For example, apps are meant to request access to the phone’s GPS if they want location data. However, the researchers found apps accessing the MAC address of the Wi-Fi base stations that the phone connected to by reading a locally stored, unprotected cache. That gave the apps the location data that they needed.
The second, more insidious attack is known as a covert channel, and it’s a communication from one privileged app to another. One app might be allowed to read the phone’s International Mobile Equipment Identity (IMEI), for example, which is a unique identifier for the phone, and could give that data to another app that wasn’t.
The researchers found software libraries from Baidu and South Korean company Salmonads doing this. They used the SD card to store the phone’s IMEI, making it readable to apps that couldn’t access the data directly from the phone.
According to the researchers, the app from image printing service Shutterfly took a novel side channel approach to location harvesting by using the geolocation information stored in an image’s EXIF metadata.
Shutterfly responded, telling us:
If the user allows their images to be tagged with metadata, including geolocation, that information is included with the photos that are either uploaded to the Shutterfly app, or accessed locally on the user’s phone with their express permission.
The app’s use of the data was in accordance with the Android developer agreement, it added.
Between them, the Salmonads and Baidu SDKs provided data to at least 37.5m installed apps that don’t have permission to see it. Salmonads failed to return our request for comment. Baidu couldn’t reply by our deadline.
Serge Egelman, research director in usable security and privacy at ICSI, argued in an email that a lot of consumers would be shocked to find out what was happening, and he pointed out that the paper is hosted on the Federal Trade Commission’s website:
I presented this at an FTC event in order to make them aware of these specific issues. These are clearly deceptive practices, and therefore entirely within the agency’s purview to take action.
What to do?
We’ve been telling you to watch the permissions you give apps on your phone for a long time. It’s still a sensible thing to do, but now that Android users don’t seem to be able to trust apps to follow the rules, what can they do? Egelman was pessimistic:
There’s not much that Android users can do, unfortunately.
There is a way of out this. Google paid the researchers a bug bounty after they disclosed them last year, and has vowed to address many of the issues in the forthcoming Android Q. However, that still leaves many Android users stranded. Egelman warns that the company should treat them as serious security vulnerabilities and offer over-the-air patches rather than addressing them in the next OS. He said:
Privacy shouldn’t be treated like a luxury good, where only those with the money to buy a newer device capable of running Android Q will be protected.
In any case, the problem is more endemic, he concluded, going beyond these two kinds of attack:
It’s also worth noting that permissions don’t regulate many of the persistent identifiers that are used for tracking. Worse, app marketplaces post policies for app developers that are often completely unenforced.